
January 23, 2010

Professionals, business people, and government employees are increasingly using Facebook and other social media for official business, often as agents of their employers. Commonly, the employers are required or well-advised to make and keep records of the employees’ social media communications.

This issue arose in a workshop that Messaging Architects and I led at a sizable enterprise (having about 8000 employees). The purpose of the workshop was to establish policy on the retention of electronic records. The workshop pulled together representatives of disparate stakeholders within the enterprise, including the IT, legal and compliance departments.

Workshop participants, including representatives from human resources, feared that employees would ignore a policy that forbids them from using text messages, Facebook and Google Buzz to transact business. So the workgroup drafted this language for adoption as HR corporate policy:

“If an employee uses electronic messages for business, outside an enterprise email system account, the employee is expected to strive to make records of the messages such that they are within the control of the enterprise.”

Facebook allows a user to submit many of his postings via email. So at http://www.facebook.com/mobile/?v=web Facebook shows the user that if he sends some text to a special email address, then the text will be posted as coming from the user.

For example, here is a screenshot of a message I posted from my email account:

Facebook posts this kind of incoming email as a status update to the user’s Wall. Note that when a user like me submits text via email, the only text that appears on the user’s Wall (status update) is the text in the subject line of the user’s email. If the user writes anything in the content of the email, Facebook seems to ignore it and seems not to post it.

Thus, in the example above, I wrote all the text in the subject line of the message from my email account to my FB account.

If an employee were to submit to FB by way of her employer-controlled e-mail account, then the account would retain the submission according to whatever record retention/destruction policy the employer has set – 90 days, seven years, or whatever. [Interesting questions: In the employer's email system, are there limits to the number of characters that can be transmitted in the subject line of an outgoing message and can be stored in the record of that message?]

A FB user can submit more than text from his email account. The FB user can also submit a photo (or even a video). FB posts the photo on the user's Wall, with text taken from the subject line of the email. For instance:

So . . . the above is one convenient way for a business professional to store her Wall posts into her employer's email system, such that the posts will be preserved for audit, inspection, supervision, ediscovery, litigation hold and the like.

I argue that email archives are the starting place for any enterprise that wishes to maintain electronic records for legal compliance purposes. I argue the same goes for Twitter.

My ideas here leave scads of unanswered questions, such as how to record comments that others post on the user's Wall.

–Benjamin Wright

Mr. Wright teaches IT and records management law at the SANS Institute, where social network law is part of the curriculum. He chairs a (proposed) SANS conference on e-records and e-discovery slated for Las Vegas, September 2010.

November 27, 2008

Canada is in the process of adopting new rules on the retention of electronic records by securities firms such as stock brokerages. The rules will impose rigorous requirements for preservation and availability of records for e-mail, text and other communications between firms and their clients.

The rules are part of proposed National Instrument (NI) 31-103, which will install a new nationwide regime for regulation of securities firms. Although authorities hoped to have made NI 31-103 effective as of March 31, 2009, they are still refining it. They anticipate publishing the next draft around April 1, 2009, with implementation beginning sometime after that.

Even though the rules are not yet final, firms can see that the new retention requirements are coming. They are wise to begin e-record retention now. NI 31-103's new requirements are consonant with the larger trend in society to expect that enterprises keep plentiful electronic records.

Proposed Section 5.5: “In most circumstances, registered firms should maintain the following records to satisfy subsection 5.15(1)(a) . . . all e-mail, regular mail, fax and other written communications with clients.”

What are the standards for record retention? Seven years is an important time period. Proposed Section 5.16:

"(1) A registered [securities] firm must keep its records safe and in a durable form.

(2) For a period of two years after the creation of a record, a registered firm must keep the record in a manner that permits it to be provided promptly to the regulator, and thereafter the record may be kept in a manner that permits it to be provided to the regulator in a reasonable period of time.

(3) A record provided under subsection (2) must be in a form that is capable of being read by the regulator.

(4) A registered firm must keep (a) an activity record for seven years from the date of the act, and (b) a relationship record for seven years from the date the person or company ceases to be a client of the registered firm."

So 5.16 generally provides for shorter retention for “activity records” (seven years from the date of the act) than for “relationship records” (seven years after the client ceases its engagement of the firm).

5.16 goes on to define "relationship records" (which relate for example to the ongoing relationship between a firm and its customer) and “activity records” (which relate for example to specific purchase and sale transactions). In particular instances, however, the difference between an activity record and a relationship record could be indistinct and unclear. An e-mail can contain both activity information and relationship information. Under a conservative interpretation, this lack of clarity could militate toward keeping even presumably “activity” records longer than seven years.
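The quoted Section 5.16 can be turned into a small retention-policy evaluator. The following is an added example, not code from the post or from any regulator; the record schema (keys such as `is_activity`, `act_date`, `client_end`) and the three sample records are constructed for illustration. It applies the conservative reading argued above: a record carrying both activity and relationship information is kept for the longer of the two periods, and 5.16(2)'s two-year "prompt production" window is mapped onto a primary/archive storage tier.

```python
from datetime import date

# Retention periods under proposed NI 31-103 s.5.16 as quoted in the post.
ACTIVITY_YEARS = 7        # 5.16(4)(a): seven years from the date of the act
RELATIONSHIP_YEARS = 7    # 5.16(4)(b): seven years from the date the client leaves
PROMPT_ACCESS_YEARS = 2   # 5.16(2): first two years must be producible promptly


def add_years(d, years):
    """Add calendar years; a Feb 29 start date lands on Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retain_until(record):
    """Earliest date the record may be destroyed, or None if still open-ended.

    Constructed schema: 'created', 'is_activity', 'act_date', 'is_relationship',
    'client_end' (None while the client is still active). A record flagged as
    both activity and relationship is kept for the longer of the two periods.
    """
    deadlines = []
    if record.get("is_activity"):
        deadlines.append(add_years(record["act_date"], ACTIVITY_YEARS))
    if record.get("is_relationship"):
        if record.get("client_end") is None:
            return None  # relationship ongoing: the seven-year clock has not started
        deadlines.append(add_years(record["client_end"], RELATIONSHIP_YEARS))
    if not deadlines:
        raise ValueError("record must be classified as activity and/or relationship")
    return max(deadlines)


def storage_tier(record, today):
    """5.16(2) mapped onto tiers: 'primary' (prompt production) for two years after
    creation, 'archive' (reasonable-time production) afterwards, and
    'eligible-for-destruction' once the retention deadline has passed."""
    until = retain_until(record)
    if until is not None and today >= until:
        return "eligible-for-destruction"
    if today < add_years(record["created"], PROMPT_ACCESS_YEARS):
        return "primary"
    return "archive"


# Constructed sample records (not taken from the post or any real firm).
TRADE_CONFIRMATION = {"created": date(2009, 4, 15), "is_activity": True,
                      "act_date": date(2009, 4, 15)}
ACCOUNT_AGREEMENT = {"created": date(2007, 2, 1), "is_relationship": True,
                     "client_end": date(2012, 6, 30)}
MIXED_EMAIL = {"created": date(2009, 4, 15), "is_activity": True,
               "act_date": date(2009, 4, 15), "is_relationship": True,
               "client_end": date(2012, 6, 30)}
```

For the mixed e-mail the activity deadline (2016) is overridden by the relationship deadline (2019), which is the longer-retention outcome the post describes.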

US securities firms have been dealing with similar record retention rules for a decade, and the US experience is a useful guide for Canadian firms. In 1997 the US Securities and Exchange Commission expressly required securities firms to store certain client communications such as e-mail under SEC Rule 17a-4. As new technologies have emerged, the requirements have been read to include them. For example, NASD Rule 03-33 specifically interpreted 17a-4 to include instant messages.

On several occasions US regulatory authorities have penalized firms for poor electronic records retention practices. For example the New York Stock Exchange fined J.P. Morgan $2.1 million.

As a matter of practice, compliance with rules like Rule 17a-4 and NI 31-103 can be easier if electronic messages are stored in a dedicated message archive server rather than in a production e-mail server or in network backup.

There is no reason in principle why such rules would not be read to include records of new forms of communications as they arise – such as postings on a message “wall” in a social networking environment like Facebook or Ning or txt or video communications via Skype.

October 21, 2008

Many state government archivists publish record retention schedules for state agencies. Often these schedules (or statements related to them) address e-mail records. Many of the 50 official state schedules for e-mail retention are collected at this LINK. If you study all these schedules, you will hear many conflicting ideas.

For e-mail, at 450102 North Dakota says, "Retain in office until the record status is determined, but no more than 15 days, then delete. If the e-mail message is an official record made or received pursuant to law or in connection with the transaction of official business, the retention period should be covered by an existing record series."

Whoa. That language might easily be interpreted to require really fast destruction as the default. That default would be subject to someone making a decision that an important e-mail is in fact important. If one were to interpret this Schedule to require quick deletion of most e-mail, that interpretation would seem hazardous under present trends in litigation. As I've argued elsewhere, the legal system is giving all enterprises, including state agencies, incentive to be generous in e-mail retention.

As the volume of e-mail, text and other e-messages soars, employees don't have time to "determine the record status" of all those messages. Further, the making of such determinations on a message-by-message basis can be a waste of government resources (employee time).

Electronic messages can have subtle and unexpected legal effects. Cloud Corp. v. Hasbro, 314 F.3d 289 (7th Cir. 2002), for instance, interpreted a bunch of informal business e-mails as modifying a formal, paper-written contract. The e-mails were interpreted as modifying the contract, even though the contract itself said it could be modified only by a “signed writing.”

Thus, many of the e-mails to and from important agency officials could affect contracts or other important matters, even though they are not formally labeled "contracts" or "employment decisions."

Let's turn back to North Dakota’s Retention Schedule. At 300101 it says, "This series contains contracts, leases, agreements, and competitive solicitations entered into by the department. Includes all back-up and closeout materials. RETENTION: Retain in office for the life of the contract plus six years . . ."

Scads of informal-looking e-mails might qualify as contract "back-up materials." The process of judging whether a particular communication does or does not constitute contract "back-up material" is not easy. Reasonable, well-educated people can have different points of view on that topic. Further, many casual-sounding e-mails might be both contract "back-up material" and relevant to other long-term legal matters like employment. Any given e-mail might fit into multiple categories, each with a different retention period.

In addition, some employees go on vacation or sick leave. Should their e-mail still be deleted in 15 days? One might read the literal words of the Retention Schedule as requiring 15-day deletion, but that reading defies common sense.

At bottom, North Dakota's Retention Schedule is filled with conflicts and causes practical dilemmas. How should it be interpreted?

If I were a records professional at a North Dakota agency, I would be loath to delete the e-mails of important people in 15 days. In view of the contradictory guidance in the state’s Retention Schedule, I might reasonably interpret the Schedule as calling for generous retention of e-mail belonging to important administrators. A responsible interpretation might call for a seven-year retention period – subject to special effort to cull (screen) out really important records that must be kept longer.

Mr. Wright teaches e-discovery and e-records policy law at the SANS Institute.

[Footnote: I've discussed North Dakota here, for no particular reason. I might have just as easily chosen any other state . . . California, Florida, Georgia, New York, Illinois, Pennsylvania, Missouri, Ohio, Virginia, Colorado, Oklahoma, Arizona, Utah, Nevada, Washington . . . who knows. In writing this post, I did not research North Dakota law beyond what I cited. I acknowledge that an expert in North Dakota administration law might point to other features of the state's law (cases, rulings and so on) that suggest different interpretations.]

The institution retains those three classes of data in a dedicated archival system (more than just normal production records and backup).

East Carolina retains e-mail of top school administrators seven years, then purges it. In my experience, seven years is the traditionally-recognized period for responsible retention of important financial records.

To reduce costs, the university retains archives in tiers. Newer or higher-priority archives are in higher-performance "primary" storage, whereas older archives are relegated to slower storage, outside the network backup program.

On the topic of tiers, I’ll go one step further than what I read about East Carolina U. I envision another, even lower and less expensive tier, where archives are retained and organized but not accessible by fully-automated means.

From the perspective of e-discovery theory, a rationale for tiered storage is this: E-discovery law is most intolerant when records are destroyed too early. In the e-records world, too-early destruction is the most common type of "spoliation" or "obstruction of justice". E-discovery law is also intolerant (but maybe a bit less so) when a litigant possesses records, but she doesn’t know it and can’t find them.

Finally, e-discovery law seems to be more tolerant when a litigant possesses records, knows she possesses them, knows more or less where they are, but just can't get to them very easily. When this is the case in a lawsuit, a litigant is much less likely to be charged with spoliation. Instead, the plaintiff and defendant are prone to go before the judge and argue about the extent to which the dusty old e-archives are important and about who should pay for how much of the cost of retrieving them.

Local ARMA Quote

"The presentation by Mr. Wright, sponsored by Messaging Architects, was engaging and provocative. He delivered insights that challenged some of our views on retaining e-mail, and definitely shattered others." - Terry Mergele, CRM, Program Chair, San Antonio ARMA.

Blogger

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He is a pioneer in the promotion of public relations to address Internet legal issues and crises. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.

SANS Quote

"The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training

Important!

No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly, formally agree that the relationship is being formed. He does not give advice to non-clients.